In the Claims: 

Please amend claim 1, please cancel claims 2-44, and please add claims 45-88, as 
shown below. 

1. (Currently amended) A method of implementing node related conditions in a 
directory server having a tree structure using condition-defining data attached to nodes, 
the method comprising: 

attaching condition-defining data to a given node in the tree structure, said 
condition defining data having a variable portion and a reference portion, 

wherein said condition-defining data comprises access control 

information; 

attaching a macro to the given node or to a higher level node; 

upon access to a subnode of said given node in the tree: 

generating an expanded version of the access control information using the 
macro, wherein the expanded version comprises additional 
information derived from one or more attributes stored at the 
directory server; 

tentatively deriving a value for the variable portion, using the reference 
portion and a property of the subnode, 

changing the variable portion into the value; and 

evaluating the expanded version of the access control information condition in 
said condition defining data as interpreted; and 

controlling access to the subnode from the result of said evaluating. 

2.-44. (Canceled) 

45. (New) A computer-implemented method, comprising: 

storing access control information for a particular node of a tree of nodes 
representing entities managed by a directory server, wherein the access 
control information comprises at least one macro entry; 

in response to a request from a requester for a directory server operation targeted 
at a node of the tree, 

generating an expanded version of the access control information using the 
at least one macro entry, wherein the expanded version comprises 
additional information derived from one or more attributes stored 
at the directory server, 

determining whether the requester has permission for the directory server 
operation, wherein said determining comprises comparing at least 
a portion of the expanded version of the access control information 
with one or more attribute values of the requester; 

in response to determining that the requester has permission, performing 
the directory server operation; and 

in response to determining that the requester does not have permission, 
providing a failure indication to the requester. 

46. (New) The method as recited in claim 45, wherein the expanded version is 
derived at least in part by replacing the at least one macro entry with at least one 
substitute string derived from the one or more attributes stored at the directory server. 

47. (New) The method as recited in claim 45, wherein the request is targeted at 
the particular node, and wherein the additional information is derived from one or more 
attributes of the particular node. 

48. (New) The method as recited in claim 45, wherein the particular node is a 
root node of a subtree of other nodes of the tree, wherein the request is targeted at an 
other node of the subtree, and wherein the additional information is derived from one or 
more attributes of the other node. 

49. (New) The method as recited in claim 45, wherein said determining whether 
the requester has permission for the directory server operation comprises determining 
whether an attribute value of the requester matches an attribute value specified in the 
expanded version of the access control information. 

50. (New) The method as recited in claim 49, wherein said generating the 
expanded version comprises adding a plurality of fields to the access control information, 
wherein said determining whether the requester has permission for the directory server 
operation comprises: 

in response to determining that the attribute value of the requester does not match 
the expanded version, modifying the expanded version by removing at 
least one field of the plurality of fields from the expanded version; and 

determining whether an attribute value of the requester matches an attribute value 
specified in the modified expanded version of the access control 
information. 

51. (New) The method as recited in claim 45, wherein the access control 
information comprises two or more macro entries, including a target macro entry in a 
portion of the access control information identifying a target object to which access is to 
be controlled, and a subject macro entry in a portion of the access control information 
specifying attributes of requesters to whom access is to be provided. 

52. (New) The method as recited in claim 51, wherein said generating the 
expanded version comprises replacing the target macro entry with a first substitute string, 
and replacing the subject macro entry with a second substitute string derived from the 
first substitute string. 

53. (New) The method as recited in claim 45, wherein the at least one macro 
entry identifies an attribute name, wherein the additional information comprises at least 
one string derived from a value of an attribute identified by the attribute name. 

54. (New) The method as recited in claim 53, wherein the attribute identified by 
the attribute name is a multi-valued attribute, wherein the directory server stores at least a 
first value and a second value for the multi-valued attribute for the node targeted by the 
request, wherein the additional information comprises the first value of the multi-valued 
attribute, wherein said determining whether the requester has permission comprises: 

comparing a portion of the expanded version including the first value with the 
requester's value of the multi-valued attribute; 

in response to determining that the portion of the expanded version does not 
match the requester's value, generating a second expanded version of the 
access control information by replacing the first value of the multi-valued 
attribute in the expanded version with the second value of the multi-valued 
attribute; and 

comparing a portion of the second expanded version including the second value 
with the requester's value of the multi-valued attribute. 

55. (New) The method as recited in claim 45, wherein the additional information 
is derived from a distinguished name of a node of the tree. 

56. (New) The method as recited in claim 45, wherein the at least one macro 
entry is included within a portion of the access control information that identifies a 
distinguished name of a group of entities defined at the directory server. 

57. (New) The method as recited in claim 45, wherein the at least one macro 
entry is included within a portion of the access control information that identifies a 
distinguished name of a role defined at the directory server. 

58. (New) The method as recited in claim 45, wherein the at least one macro 
entry is included within a portion of the access control information that identifies at least 
one of: a distinguished name of a user identified at the directory server, and a user 
attribute defined at the directory server. 

59. (New) The method as recited in claim 45, wherein the at least one macro 
entry is included within a portion of the access control information that specifies a target 
filter used by the directory server to select nodes to which the access control information 
applies. 
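The method of claims 45 to 54 above, as an added worked example that is not part of the claims or of any product: a toy evaluator that stores macro-bearing access control information at a subtree root, expands the macro from attributes of the target node, and retries the comparison over each value of a multi-valued attribute (claim 54) and with fields removed (claim 50). The macro syntax, the directory contents and the requester attributes are all constructed assumptions.

```python
"""Toy evaluator for macro-expanded access control information (ACI), modelled on
claims 45-54 above. All syntax and directory data here are assumptions:
  ($attr.NAME) is replaced by a value of attribute NAME of the target node; each
               value of a multi-valued attribute is tried in turn (claim 54).
  [$dn]        is replaced by the target node's DN, then by successively shorter
               suffixes, i.e. with leading fields removed (claim 50).
"""
import re

# Constructed directory tree: DN -> attributes (every attribute is a value list).
DIRECTORY = {
    "cn=alice,o=example": {"dept": ["eng"], "memberOf": ["cn=admins,o=example"]},
    "cn=bob,o=example": {"dept": ["sales"], "memberOf": ["cn=admins,ou=sales,o=example"]},
    "cn=carol,ou=eng,o=example": {"dept": ["ops", "eng"], "memberOf": []},
}

# ACIs assumed to be stored at the subtree root "ou=eng,o=example" (claim 48): each is
# (requester attribute to compare against, subject template containing one macro).
ACI_SAME_DEPT = ("dept", "($attr.dept)")
ACI_ADMINS = ("memberOf", "cn=admins,[$dn]")

def dn_suffixes(dn):
    """All suffixes of a DN, dropping one leading RDN (field) per step."""
    parts = [p.strip() for p in dn.split(",")]
    return [",".join(parts[i:]) for i in range(len(parts))]

def expanded_versions(template, target_dn):
    """Yield candidate expansions of the subject template for one target node."""
    attrs = DIRECTORY[target_dn]
    macro = re.search(r"\(\$attr\.(\w+)\)", template)
    if macro:
        for value in attrs.get(macro.group(1), []):   # first value, then second, ...
            yield template.replace(macro.group(0), value)
    elif "[$dn]" in template:
        for suffix in dn_suffixes(target_dn):         # remove a field and retry
            yield template.replace("[$dn]", suffix)
    else:
        yield template

def has_permission(aci, target_dn, requester_dn):
    """Compare each expanded version with the requester's values of the attribute."""
    attr, template = aci
    requester_values = DIRECTORY[requester_dn].get(attr, [])
    for candidate in expanded_versions(template, target_dn):
        if candidate in requester_values:
            return True, candidate
    return False, None

def directory_operation(aci, target_dn, requester_dn):
    """Perform a read of target_dn, or return a failure indication (claim 45)."""
    allowed, matched = has_permission(aci, target_dn, requester_dn)
    if not allowed:
        return {"result": "failure", "reason": "insufficient access rights"}
    return {"result": "success", "matched": matched, "entry": DIRECTORY[target_dn]}
```

Alice is granted access to carol's entry under ACI_SAME_DEPT only on the second value of carol's multi-valued dept attribute, and under ACI_ADMINS only after two fields have been removed from the expanded DN.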

60. (New) A system, comprising: 

a processor; 

a memory coupled to the processor, wherein the memory stores program 
instructions executable by the processor to: 

store access control information for a particular node of a tree of nodes 
representing entities managed by a directory server, wherein the 
access control information comprises at least one macro entry; 

in response to a request from a requester for a directory server operation 
targeted at a node of the tree, 

generate an expanded version of the access control information 
using the macro entry, wherein the expanded version 
includes additional information derived from one or more 
attributes stored at the directory server; 

determining whether the requester has permission for the directory 
server operation, wherein said determining comprises 
comparing at least a portion of the expanded version of the 
access control information with one or more attribute 
values of the requester; 

in response to determining that the requester has permission, 
perform the directory server operation; and 

in response to determining that the requester does not have 
permission, provide a failure indication to the requester. 

61. (New) The system as recited in claim 60, wherein the expanded version is 
derived at least in part by replacing the at least one macro entry with at least one 
substitute string derived from the one or more attributes stored at the directory server. 

62. (New) The system as recited in claim 61, wherein the request is targeted at 
the particular node, and wherein the additional information is derived from one or more 
attributes of the particular node. 

63. (New) The system as recited in claim 60, wherein the particular node is a 
root node of a subtree of other nodes of the tree, wherein the request is targeted at an 
other node of the subtree, and wherein the additional information is derived from one or 
more attributes of the other node. 

64. (New) The system as recited in claim 60, wherein said determining whether 
the requester has permission for the directory server operation comprises determining 
whether an attribute value of the requester matches an attribute value specified in the 
expanded version of the access control information. 

65. (New) The system as recited in claim 64, wherein the additional information 
comprises a plurality of fields, wherein said determining whether the requester has 
permission for the directory server operation comprises: 

in response to determining that the attribute value of the requester does not match 
the expanded version, modifying the expanded version by removing at 
least one field of the plurality of fields from the expanded version; and 

determining whether an attribute value of the requester matches an attribute value 
specified in the modified expanded version of the access control 
information. 

66. (New) The system as recited in claim 60, wherein the access control 
information comprises two or more macro entries, including a target macro entry in a 
portion of the access control information identifying a target object to which access is to 
be controlled, and a subject macro entry in a portion of the access control information 
specifying attributes of requesters to whom access is to be provided. 

67. (New) The system as recited in claim 66, wherein said generating the 
expanded version comprises replacing the target macro entry with a first substitute string, 
and replacing the subject macro entry with a second substitute string derived from the 
first substitute string. 

68. (New) The system as recited in claim 60, wherein the at least one macro 
entry identifies an attribute name, wherein the additional information is derived from a 
value of an attribute identified by the attribute name. 

69. (New) The system as recited in claim 68, wherein the attribute identified by 
the attribute name is a multi-valued attribute, wherein the directory server stores at least a 
first value and a second value for the multi-valued attribute for the node targeted by the 
request, wherein the additional information comprises the first value of the multi-valued 
attribute, wherein said determining whether the requester has permission comprises: 

comparing a portion of the expanded version including the first value with the 
requester's value of the multi-valued attribute; 

in response to determining that the portion of the expanded version does not 
match the requester's value, generating a second expanded version of the 
access control information by replacing the first value of the multi-valued 
attribute in the expanded version with the second value of the multi-valued 
attribute; and 

comparing a portion of the second expanded version including the second value 
with the requester's value of the multi-valued attribute. 

70. (New) The system as recited in claim 60, wherein the additional information 
is derived from a distinguished name of a node of the tree. 

71. (New) The system as recited in claim 60, wherein the at least one macro 
entry is included within a portion of the access control information that identifies a 
distinguished name of a group of entities defined at the directory server. 

72. (New) The system as recited in claim 60, wherein the at least one macro 
entry is included within a portion of the access control information that identifies a 
distinguished name of a role defined at the directory server. 

73. (New) The system as recited in claim 60, wherein the at least one macro 
entry is included within a portion of the access control information that identifies at least 
one of: a distinguished name of a user identified at the directory server, and a user 
attribute defined at the directory server. 

74. (New) The system as recited in claim 60, wherein the at least one macro 
entry is included within a portion of the access control information that specifies a target 
filter used by the directory server to select nodes to which the access control information 
applies. 

75. (New) A tangible, computer-readable medium, comprising program 
instructions, wherein the instructions are computer-executable to: 

store access control information for a particular node of a tree of nodes 
representing entities managed by a directory server, wherein the access 
control information comprises at least one macro entry; 

in response to a request from a requester for a directory server operation targeted 
at a node of the tree, 

generate an expanded version of the access control information using the 
at least one macro entry, wherein the expanded version includes 
additional information derived from one or more attributes stored 
at the directory server; 
determining whether the requester has permission for the directory server 
operation, wherein said determining comprises comparing at least 
a portion of the expanded version of the access control information 
with one or more attribute values of the requester; 

in response to determining that the requester has permission, perform the 
directory server operation; and 

in response to determining that the requester does not have permission, 
provide a failure indication to the requester. 

76. (New) The computer-readable medium as recited in claim 75, wherein the 
expanded version is derived at least in part by replacing the at least one macro entry with 
at least one substitute string derived from the one or more attributes stored at the 
directory server. 

77. (New) The computer-readable medium as recited in claim 75, wherein the 
request is targeted at the particular node, and wherein the additional information is 
derived from one or more attributes of the particular node. 

78. (New) The computer-readable medium as recited in claim 75, wherein the 
particular node is a root node of a subtree of other nodes of the tree, wherein the request 
is targeted at an other node of the subtree, and wherein the additional information is 
derived from one or more attributes of the other node. 

79. (New) The computer-readable medium as recited in claim 75, wherein said 
determining whether the requester has permission for the directory server operation 
comprises determining whether an attribute value of the requester matches an attribute 
value specified in the expanded version of the access control information. 

80. (New) The computer-readable medium as recited in claim 79, wherein the 
additional information comprises a plurality of fields, wherein said determining whether 
the requester has permission for the directory server operation comprises: 

in response to determining that the attribute value of the requester does not match 
the expanded version, modifying the expanded version by removing at 
least one field of the plurality of fields from the expanded version; and 

determining whether an attribute value of the requester matches an attribute value 
specified in the modified expanded version of the access control 
information. 

81. (New) The computer-readable medium as recited in claim 75, wherein the 
access control information comprises two or more macro entries, including a target macro 
entry in a portion of the access control information identifying a target object to which 
access is to be controlled, and a subject macro entry in a portion of the access control 
information specifying attributes of requesters to whom access is to be provided. 

82. (New) The computer-readable medium as recited in claim 81, wherein said 
generating the expanded version comprises replacing the target macro entry with a first 
substitute string, and replacing the subject macro entry with a second substitute string 
derived from the first substitute string. 

83. (New) The computer-readable medium as recited in claim 75, wherein the at 
least one macro entry identifies an attribute name, wherein the additional information is 
derived from a value of an attribute identified by the attribute name. 

84. (New) The computer-readable medium as recited in claim 83, wherein the 
attribute identified by the attribute name is a multi-valued attribute, wherein the directory 
server stores at least a first value and a second value for the multi-valued attribute for the 
node targeted by the request, wherein the additional information comprises the first value 
of the multi-valued attribute, wherein said determining whether the requester has 
permission comprises: 

comparing a portion of the expanded version including the first value with the 
requester's value of the multi-valued attribute; 

in response to determining that the portion of the expanded version does not 
match the requester's value, generating a second expanded version of the 
access control information by replacing the first value of the multi-valued 
attribute in the expanded version with the second value of the multi-valued 
attribute; and 

comparing a portion of the second expanded version including the second value 
with the requester's value of the multi-valued attribute. 

85. (New) The computer-readable medium as recited in claim 75, wherein the 
additional information is derived from a distinguished name of a node of the tree. 

86. (New) The computer-readable medium as recited in claim 75, wherein the at 
least one macro entry is included within a portion of the access control information that 
identifies a distinguished name of a group of entities defined at the directory server. 

87. (New) The computer-readable medium as recited in claim 75, wherein the at 
least one macro entry is included within a portion of the access control information that 
identifies a distinguished name of a role defined at the directory server. 

88. (New) The computer-readable medium as recited in claim 75, wherein the at 
least one macro entry is included within a portion of the access control information that 
identifies at least one of: a distinguished name of a user identified at the directory server, 
a user attribute defined at the directory server, and a target filter used by the directory 
server to select nodes to which access control information applies. 